Vulnerability Development mailing list archives
RE: Online Games Consoles and Security Implications
From: "Kayne Ian (Softlab)" <Ian.Kayne () softlab co uk>
Date: Fri, 24 May 2002 09:37:52 +0100
Of course, if you did manage to hack an XBox and load some DDOS client on it, you still need to worry about how to ensure it runs at every boot and that a game doesn't knock it out. On top of all that I'd say the risk is lowered anyway - how many people leave their console on & online 24hrs a day ready to participate in an attack? Effort -v- Result, who is going to hack out a DDOS network only to find they can't use it when they need it.

£0.02.

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company

-----Original Message-----
From: Elan Hasson [mailto:elan () daryl org]
Sent: 22 May 2002 18:36
To: Evans, TJ; vuln-dev () securityfocus com
Subject: RE: Online Games Consoles and Security Implications

Exactly, it's common knowledge the more code you have, the more room for error (bugs). A LOT of functionality was ripped from the kernel to have it run on xbox, the docs do say something about 'no ntfs, no ACLs' etc.. everything's running in ring0 from what I understand.

-----Original Message-----
From: Evans, TJ [mailto:tjevans () kpmg com]
Sent: Wednesday, May 22, 2002 5:58 AM
To: vuln-dev () securityfocus com
Subject: RE: Online Games Consoles and Security Implications

Not to step into an area that I know little about <xbox security>; but I think "If Microsoft could secure a game console running Win2K you'd imagine Win2K and XP would be a lot more secure then they appear to be." is something of a logical fallacy.

Keep in mind - we are talking about separate worlds here - a game console is something that, for the most part, needs to perform *ONE SET OF FUNCTIONS*. Making hardware, software and peripherals work together in a secure, FAST fashion when you only need to do 1 set of functions, and when user tinkering is <by default> limited/non-existent (not counting those of you who crack the case open and really get into them :)> is *nowhere* near as difficult as trying to make an OS/platform that needs to support thousands of pieces of 3rd party software, hardware and has users breaking it in countless unimaginable ways ...

</$.02>

Thanks!
TJ

-----Original Message-----
From: Elan Hasson [mailto:elan () daryl org]
Sent: Tuesday, May 21, 2002 10:25 PM
To: Stan Bubrouski
Cc: vuln-dev () securityfocus com
Subject: RE: Online Games Consoles and Security Implications

heh, nintendo was cool.. I own an xbox myself. I'm VERY happy with it. I should probably install the xdk again and post some of the docs to the list.

It was saying how all the packets are encrypted and stuff and how it can take a DoS (for example, something that could 'clog the pipe') and be able to drop the packets and sort through the garbage-data and not affect game performance packets or something.

Yes, it does run a Windows2000 kernel (slimmed down of course). I've even played with disassembling xbox images. It's nice stuff. VERY nice. MS did an excellent job with it. The fact that all of the software runs on a hard drive and isn't on a chip is a BIG plus. That gives the ability for people to download updates and stuff to it...hehe XBOX-service pack 1 anyone? HEH!

-----Original Message-----
From: Stan Bubrouski [mailto:stan () ccs neu edu]
Sent: Tuesday, May 21, 2002 8:15 PM
To: Elan Hasson
Subject: Re: Online Games Consoles and Security Implications

Elan Hasson wrote:
> The xbox is VERY secure, read the docs on Network Security in the SDK.
> MS even has a bit in there about Denial Of Service.. and how the xbox can
> handle it and not affect game performance.

RIDICULOUS. They call Win2k very secure. They call IE very secure. The bottom line is that it is a Microsoft product with embedded Win2k code (correct?). This is quite the contrary to what you suggest. If Microsoft could secure a game console running Win2K you'd imagine Win2K and XP would be a lot more secure than they appear to be. What Microsoft writes and what Microsoft does are two different things, you can't guarantee security, you can only try to ensure it by taking the proper steps. I recall Bill Gates calling Windows one of the most secure OS's, A FLAT OUT LIE.

Not trying to start a flame war, so let's not, just pointing out to kids that might be reading this, that there is no proof the XBoX is more secure than PS2 or anything else.

You want security, pull out your old 1986 nintendo ;-)

Best Regards,
Stan Bubrouski